Tuesday, March 30, 2010

In November 2009, Aberdeen Group published their research paper titled, “The 2009 PCI DSS and Protecting Cardholder Data Report.”

Some of the key findings include:

• While there have been years with a minimal number of cards breached, the number of incidents continues to rise virtually every year, and the trend in the number of cards compromised also continues to increase.

• In a survey of 1/3 large retailers (revenue >$1B), 1/3 mid-size retailers (revenue between $50M and $1B) and 1/3 small retailers (revenue less than $50M), the best-in-class retailers spent $135,000 in annual PCI compliance costs while all others spent $300,000. The reason the best-in-class retailers had lower annual PCI compliance costs was their adoption of technologies

• “Similarly, with protecting cardholder data, the most effective way to protect it is not to block the attacker, but to take away the attacker’s target. While all companies should do a better job of leveraging … (technologies)… to protect cardholder data in the here and now, they should also pay close attention to collaborations between payment processors and technology solution providers to promote alternatives such as end-to-end encryption and tokenization for the elimination of stored cardholder data altogether.”

Monday, March 29, 2010

Aite Group published a report in March 2010, titled “Card Fraud in the United States: The Case for Encryption.” The full report is only available for purchase, but some of the key highlights are below:

• Aite Group estimates that the total cost of fraud in the United States is $8.6 billion per year, or 0.4% of the $2.1 trillion card payment industry. Of that total, just 15.9%, or $1.35 billion, represents counterfeit card fraud, only 0.06% of annual card transaction volume.

• Those seeking to mitigate card fraud today should focus on encryption technologies, cutting off the source of card data for the carding networks.

• Upgrading card technologies to EMV chip cards in the United States will not occur while U.S. issuers and networks remain married to signature interchange. Fraud has not stopped since the introduction of EMV in the UK, but the type of fraud has moved.

• The report looked at three broad categories of solutions to combat fraud today: requiring additional information as part of the authorization, devaluing the magnetic stripe data, and deploying higher-level card technology.

• The following technologies were looked at as ways to require additional information as part of the authorization message to reduce fraud:

o Address Verification Service

o Card Security Code

o 3D Secure

o Physical 2-Factor Token

• Of these technologies, end-to-end encryption would have the greatest impact on reducing fraud. Aite Group states: “End-to-end encryption, if fully implemented nationally, would be likely to prove extremely effective in reducing counterfeit and card-not-present fraud, materially impacting the availability of U.S. card data on the black market. Carding gangs would be forced to turn to easier pickings in less well-armored countries. We estimate that a national E2EE deployment would cut 90% of card-not-present and counterfeit cards in the United States.”

• Based on the…degree of fraud elimination, time to return on investment, time for deployment and the level of friction to adoption, end-to-end encryption provides the most thorough and feasible form of card fraud prevention today. Deployment costs would fall primarily on merchants, but this may be seen as acceptable in the context of removing some key areas of liability within the PCI DSS framework. Payback would take less than a couple of years, approximately the same time as it would take for deployment.

Retail Systems Research recently published “Building Trust and Growing the Brand: The Role of Privacy and Security in Retail 2010” (March 2010). In the report, eighty-eight percent of respondents consider firewalls to be very important technology enablers for protecting the customer’s security across the entire enterprise, while 80% ascribe the same value to encrypting data at every point in its movement through their organization.

The Ponemon Institute recently published a study on PCI compliance titled “PCI DSS Trends 2010: QSA Insights Report.” Published in March 2010, the study surveyed 155 QSAs worldwide about their opinions on PCI compliance, PCI compliance costs, and encryption technology. Some of the more interesting findings include:

• Encryption is the favored technology for achieving end-to-end cardholder data protection. 60 percent of QSAs believe encryption is the best means to protect card data end-to-end, compared to 35 percent for tokenization.

• The cost of annual audits averages $225,000 for the largest merchants. Excluding technology, operating, and staff costs, the world’s largest acceptors of credit cards (also known as Tier 1 merchants) are spending an average of $225,000 on auditor expenses. 10 percent of these businesses are spending $500,000 or more annually on PCI auditors. The average spend by Tier 1 retailers was: 15% $500k

• When asked what the most effective technologies for achieving PCI DSS compliance are, 3 of the top 4 answers involved encryption. The top 4 answers were:

1. Firewalls

2. Encryption for data at rest

3. Encryption for data in motion

4. Endpoint encryption solutions

• The QSAs surveyed think merchant networks are the systems most at risk for a cardholder data breach, followed by merchant databases and POS systems. End-to-end encryption can protect cardholder data in each of these merchant systems. The QSAs ranked the following systems as most at risk:

51% Merchant Networks

43% Merchant Databases

33% Point of Sale Systems

30% Payment Applications

• When asked how to best protect cardholder data, encryption was the choice of 51% of QSAs.

Thursday, February 4, 2010

While major updates to the PCI Data Security Standard are issued as new versions, such as the one to be published later this year, the PCI Security Standards Council often releases FAQs that provide clarification or guidance to merchants and QSAs. In December, the PCI SSC published an FAQ dealing with the impact of end-to-end encryption on PCI scope. While couched in several disclaimers, the section quoted below says that encrypted data can be considered out of scope if the retailer does not have the means to decrypt the data. This is a huge win for retailers looking to implement end-to-end encryption technology, both to improve the security of cardholder data in their environment and to reduce their ongoing PCI compliance and assessment costs.

As when implementing any new payment architecture or technology, you should consult with your QSA during the evaluation, planning and implementation processes to maximize the benefits you receive from a technology like end-to-end encryption.

Is encrypted cardholder data considered cardholder data that must be protected in accordance with PCI DSS? The Council will be developing more formal guidance around this topic, leveraging information that is received through the various channels of the DSS lifecycle feedback process. Until further guidance is provided by the Council, the following should be taken into consideration regarding encrypted cardholder data.

Encryption solutions are only as good as the industry-approved algorithms and key management practices used, including security controls surrounding the encryption/decryption keys (“Keys”). If Keys are left unprotected and accessible, anyone can decrypt the data. The DSS has specific encryption key management controls (DSS 3.5 and 3.6), however, other DSS controls such as firewalls, user access controls, vulnerability management, scanning, logging and application security provide additional layers of security to prevent malicious users from gaining privileged access to networks or cardholder data environments that may grant them access to Keys. It is for this reason that encrypted cardholder data is in scope for PCI DSS.

However, encrypted data may be deemed out of scope if, and only if, it has been validated that the entity that possesses encrypted cardholder data does not have the means to decrypt it. Any technological implementation or vendor solution should be validated to ensure both physical and logical controls are in place in accordance with industry best practices, prohibiting the entity, or malicious users that may gain access to the entity’s environment, from obtaining access to Keys.

Furthermore, service providers or vendors that provide encryption solutions to merchants who have administrative access and controls to Keys along with the management of termination points for encryption to process transactions, are required to demonstrate physical and logical controls to protect cryptographic keys in accordance with industry best practices (such as NIST referenced in PCI DSS requirement 3.6), along with full compliance with PCI DSS.

Merchants should ensure their solution providers who provide key management services and/or act as the point of encryption/decryption are in compliance with PCI DSS. Merchants should be aware that encryption solutions most likely do not remove them completely from PCI DSS. Examples of where DSS would still be applicable include usage policies, agreements with service providers that deploy payment solutions, physical protection of payment assets and any legacy data and processes (such as billing, loyalty, marketing databases) within the merchant's environment that may still store, process or transmit clear text cardholder data, as that would remain in scope for PCI DSS.

The full set of PCI SSC FAQs can be found here. Click on the FAQ link in the left navigation bar. This specific FAQ can be found here.

Thursday, January 21, 2010

VeriFone has contracted with Coalfire Systems, Inc., a leading IT security consulting firm and PCI QSA, to conduct an independent technical assessment of VeriShield Protect. The goal of this assessment is to determine whether VeriShield Protect meets and follows industry standards, how a proper implementation of VeriShield Protect can improve the security of a retailer’s cardholder environment, and the impact VeriShield Protect can have on reducing PCI scope and compliance costs.

The assessment is complete and a white paper of the findings will be published in February. The assessment by Coalfire included lab testing of the system, evaluation of VeriShield Protect as implemented at a Tier 1 retailer and a review of all planned deployment scenarios.

At NRF, Kennet Westby, Coalfire co-founder and COO, presented the initial findings from their assessment to a breakfast meeting of retail CIOs and security executives. An executive summary from the forthcoming white paper was also released at NRF.

Key points from this executive summary include:

• A properly deployed VeriShield Protect solution can provide significant risk mitigation of data compromise and may be one of the most effective controls available to merchants today.

• There can be a very clear and dramatic reduction of PCI compliance scope with a properly deployed VeriShield Protect solution.

• The benefit to merchants is that the VeriShield Protect solution can reduce the cost of PCI compliance assessment and validation and allow them to invest more of those dollars into risk-mitigating controls.

• The VeriShield Protect solution integrates securely with PC-based POS or cash registers without exposing card data, encryption keys or authentication data to these platforms.

• The integration with tested payment applications and POS systems was quick, required very little customization and worked effectively with all post-authorization, sales audit and refund transactions tested.

• The VeriShield Protect solution meets all VISA Data Field Encryption Best Practices.

• The key management processes of the VeriShield Protect solution remove most of the key management challenges for the merchant that are found in many previous endpoint encryption solutions.

• To achieve the greatest security and PCI compliance scope reduction, the VeriFone terminal should be the only point in a merchant environment that captures card data through swipe or keyed entry.

• A payment application or POS that is not PABP/PA-DSS validated can be taken out of PCI scope if all payment data is captured through the VeriShield Protect solution and the system is cleansed of all legacy card data.

• A deployment architecture in which all card data is captured in a VeriShield Protect TRSM and communicated directly to a PCI compliant processor who manages all decryption services for the merchant provides the greatest security and compliance risk mitigation.

• To achieve the greatest PCI scope reduction, a merchant should have ownership rights to the decryption keys but not have access to or possession of the keys.

• A merchant can remove PCI compliance scope for the majority of their retail environment if all electronic card data is captured in a VeriShield Protect TRSM and no decryption appliances or decryption keys exist in their environment.

• The VSDMS provides effective compliance and security auditing for the merchant and QSA. Store validation sampling of compliance is simplified with this tool set. Compliance reporting over time is easily evidenced for auditors using the VSDMS.

• The VeriFone VeriShield Protect solution impressed the Coalfire technical assessment team and their QSA auditors. The technology and tools are well architected and effective. The maturing of the solution based on their assessment input, customer feedback and industry best practice was equally impressive. Solution support, technical capabilities and security expertise of both VeriFone and its technology partner have benefited early customers in achieving their security and compliance goals.